Simplify AuthenticationManagerConfiguration

Simplify `AuthenticationManagerConfiguration` following the recent
Spring Security auto-configuration updates.

See gh-7958

spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/AuthenticationManagerConfiguration.java

@@ -16,7 +16,6 @@
 
 package org.springframework.boot.autoconfigure.security;
 
-import java.lang.reflect.Field;
 import java.util.UUID;
 
 import org.apache.commons.logging.Log;
@@ -31,30 +30,21 @@ import org.springframework.context.ApplicationContext;
 import org.springframework.context.ApplicationListener;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
-import org.springframework.context.annotation.Primary;
-import org.springframework.core.Ordered;
 import org.springframework.core.annotation.Order;
 import org.springframework.security.authentication.AuthenticationEventPublisher;
 import org.springframework.security.authentication.AuthenticationManager;
 import org.springframework.security.authentication.AuthenticationProvider;
 import org.springframework.security.authentication.ProviderManager;
 import org.springframework.security.config.annotation.ObjectPostProcessor;
-import org.springframework.security.config.annotation.SecurityConfigurer;
-import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
-import org.springframework.security.config.annotation.authentication.configuration.AuthenticationConfiguration;
-import org.springframework.security.config.annotation.authentication.configurers.GlobalAuthenticationConfigurerAdapter;
-import org.springframework.security.config.annotation.authentication.configurers.provisioning.InMemoryUserDetailsManagerConfigurer;
+import org.springframework.security.core.userdetails.User;
 import org.springframework.security.core.userdetails.UserDetailsService;
-import org.springframework.util.ReflectionUtils;
+import org.springframework.security.provisioning.InMemoryUserDetailsManager;
 
 /**
- * Configuration for a Spring Security in-memory {@link AuthenticationManager}. Can be
- * disabled by providing a bean of type {@link AuthenticationManager},
- * {@link AuthenticationProvider} or {@link UserDetailsService}. The value provided by
- * this configuration will become the "global" authentication manager (from Spring
- * Security), or the parent of the global instance. Thus it acts as a fallback when no
- * others are provided, is used by method security if enabled, and as a parent
- * authentication manager for "local" authentication managers in individual filter chains.
+ * Configuration for a Spring Security in-memory {@link AuthenticationManager}. Adds an
+ * {@link InMemoryUserDetailsManager} with a default user and generated password.
+ * This can be disabled by providing a bean of type {@link AuthenticationManager},
+ * {@link AuthenticationProvider} or {@link UserDetailsService}.
  *
  * @author Dave Syer
  * @author Rob Winch
@@ -62,8 +52,6 @@ import org.springframework.util.ReflectionUtils;
  */
 @Configuration
 @ConditionalOnBean(ObjectPostProcessor.class)
-@ConditionalOnMissingBean({ AuthenticationManager.class, AuthenticationProvider.class,
-		UserDetailsService.class })
 @Order(0)
 public class AuthenticationManagerConfiguration {
 
@@ -71,15 +59,13 @@ public class AuthenticationManagerConfiguration {
 			.getLog(AuthenticationManagerConfiguration.class);
 
 	@Bean
-	@Primary
-	public AuthenticationManager authenticationManager(
-			AuthenticationConfiguration configuration) throws Exception {
-		return configuration.getAuthenticationManager();
-	}
-
-	@Bean
-	public static SpringBootAuthenticationConfigurerAdapter springBootAuthenticationConfigurerAdapter() {
-		return new SpringBootAuthenticationConfigurerAdapter();
+	@ConditionalOnMissingBean({ AuthenticationManager.class, AuthenticationProvider.class,
+			UserDetailsService.class })
+	public InMemoryUserDetailsManager inMemoryUserDetailsManager() throws Exception {
+		String password = UUID.randomUUID().toString();
+		logger.info(
+				String.format("%n%nUsing default security password: %s%n", password));
+		return new InMemoryUserDetailsManager(User.withUsername("user").password(password).roles().build());
 	}
 
 	@Bean
@@ -87,91 +73,6 @@ public class AuthenticationManagerConfiguration {
 		return new AuthenticationManagerConfigurationListener();
 	}
 
-	/**
-	 * {@link GlobalAuthenticationConfigurerAdapter} to apply
-	 * {@link DefaultInMemoryUserDetailsManagerConfigurer}. We must apply
-	 * {@link DefaultInMemoryUserDetailsManagerConfigurer} in the init phase of the last
-	 * {@link GlobalAuthenticationConfigurerAdapter}. The reason is that the typical flow
-	 * is something like:
-	 *
-	 * <ul>
-	 * <li>A
-	 * {@link GlobalAuthenticationConfigurerAdapter#init(AuthenticationManagerBuilder)}
-	 * exists that adds a {@link SecurityConfigurer} to the
-	 * {@link AuthenticationManagerBuilder}.</li>
-	 * <li>{@link AuthenticationManagerConfiguration} adds
-	 * {@link SpringBootAuthenticationConfigurerAdapter} so it is after the
-	 * {@link SecurityConfigurer} in the first step.</li>
-	 * <li>We then can default an {@link AuthenticationProvider} if necessary. Note we can
-	 * only invoke the
-	 * {@link AuthenticationManagerBuilder#authenticationProvider(AuthenticationProvider)}
-	 * method since all other methods add a {@link SecurityConfigurer} which is not
-	 * allowed in the configure stage. It is not allowed because we guarantee all init
-	 * methods are invoked before configure, which cannot be guaranteed at this point.
-	 * </li>
-	 * </ul>
-	 */
-	@Order(Ordered.LOWEST_PRECEDENCE - 100)
-	private static class SpringBootAuthenticationConfigurerAdapter
-			extends GlobalAuthenticationConfigurerAdapter {
-
-		@Override
-		public void init(AuthenticationManagerBuilder auth) throws Exception {
-			auth.apply(new DefaultInMemoryUserDetailsManagerConfigurer());
-		}
-
-	}
-
-	/**
-	 * {@link InMemoryUserDetailsManagerConfigurer} to add user details from
-	 * {@link SecurityProperties}. This is necessary to delay adding the default user.
-	 *
-	 * <ul>
-	 * <li>A {@link GlobalAuthenticationConfigurerAdapter} will initialize the
-	 * {@link AuthenticationManagerBuilder} with a Configurer which will be after any
-	 * {@link GlobalAuthenticationConfigurerAdapter}.</li>
-	 * <li>{@link SpringBootAuthenticationConfigurerAdapter} will be invoked after all
-	 * {@link GlobalAuthenticationConfigurerAdapter}, but before the Configurers that were
-	 * added by other {@link GlobalAuthenticationConfigurerAdapter} instances.</li>
-	 * <li>A {@link SpringBootAuthenticationConfigurerAdapter} will add
-	 * {@link DefaultInMemoryUserDetailsManagerConfigurer} after all Configurer instances.
-	 * </li>
-	 * <li>All init methods will be invoked.</li>
-	 * <li>All configure methods will be invoked which is where the
-	 * {@link AuthenticationProvider} instances are setup.</li>
-	 * <li>If no AuthenticationProviders were provided,
-	 * {@link DefaultInMemoryUserDetailsManagerConfigurer} will default the value.</li>
-	 * </ul>
-	 */
-	private static class DefaultInMemoryUserDetailsManagerConfigurer
-			extends InMemoryUserDetailsManagerConfigurer<AuthenticationManagerBuilder> {
-
-		@Override
-		public void configure(AuthenticationManagerBuilder auth) throws Exception {
-			if (auth.isConfigured()) {
-				return;
-			}
-			String password = UUID.randomUUID().toString();
-			logger.info(
-					String.format("%n%nUsing default security password: %s%n", password));
-			withUser("user").password(password).roles();
-			setField(auth, "defaultUserDetailsService", getUserDetailsService());
-			super.configure(auth);
-		}
-
-		private void setField(Object target, String name, Object value) {
-			try {
-				Field field = ReflectionUtils.findField(target.getClass(), name);
-				ReflectionUtils.makeAccessible(field);
-				ReflectionUtils.setField(field, target, value);
-			}
-			catch (Exception ex) {
-				logger.info("Could not set " + name);
-			}
-		}
-
-	}
-
 	/**
 	 * {@link ApplicationListener} to autowire the {@link AuthenticationEventPublisher}
 	 * into the {@link AuthenticationManager}.

spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/SecurityAutoConfiguration.java

@@ -28,21 +28,17 @@ import org.springframework.security.authentication.AuthenticationEventPublisher;
 import org.springframework.security.authentication.AuthenticationManager;
 import org.springframework.security.authentication.DefaultAuthenticationEventPublisher;
 import org.springframework.security.config.annotation.authentication.configurers.GlobalAuthenticationConfigurerAdapter;
-import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
+import org.springframework.security.provisioning.InMemoryUserDetailsManager;
 
 /**
  * {@link EnableAutoConfiguration Auto-configuration} for Spring Security. Provides an
- * {@link AuthenticationManager} based on configuration bound to a
- * {@link SecurityProperties} bean. There is one user (named "user") whose password is
- * random and printed on the console at INFO level during startup. In a webapp this
- * configuration also secures all web endpoints (except some well-known static resource
- * locations) with HTTP basic security. To replace all the default behaviours in a webapp
- * provide a {@code @Configuration} with {@code @EnableWebSecurity}. To just add your own
- * layer of application security in front of the defaults, add a {@code @Configuration} of
- * type {@link WebSecurityConfigurerAdapter}.
+ * {@link InMemoryUserDetailsManager} with one user (named "user") whose password is
+ * random and printed on the console at INFO level during startup. In a webapp, this
+ * configuration also secures all web endpoints (including static resources).
  *
  * @author Dave Syer
  * @author Andy Wilkinson
+ * @author Madhura Bhave
  */
 @Configuration
 @ConditionalOnClass({ AuthenticationManager.class,